NORWICH CREDIT UNION









Norwich Credit Union Privacy Notice

We are committed to protecting our members’ privacy. The credit union requires any information marked as mandatory for membership to either meet legal obligations or to enable us to perform our contract with you. Where you are not able to provide us with this information, we may not be able to open an account for you. Where we request further information about you not required for these reasons, we will ask you for your consent.

We take the protection of your data very seriously. We will treat your data with the utmost care and take all appropriate steps to protect it. We have clear data protection and information security policies and procedures in place, along with regulatory and other legal obligations to keep your data safe. Our compliance processes, including these policies and procedures, are regularly reviewed and updated.


The data we collect

The personal data we may collect includes, but is not limited to:


How we use your personal information

We are only entitled to hold and process your data where allowed by data protection legislation. Norwich Credit Union may process, transfer and/or share personal information in the following ways:


For legal reasons

confirm your identity

perform activity for the prevention of financial crime

carry out internal and external auditing

record basic information about you on a register of members


For performance of our contract with you

deal with your account(s) or run any other services we provide to you;

consider any applications made by you;

carry out credit checks and to obtain and provide credit references

undertake statistical analysis, to help evaluate the future needs of our membership and to help manage our business

send you statements, new terms & conditions (including changes to this privacy statement), information about changes to the way your account(s) operate and notification of our annual general meeting


For our legitimate interests

recover any debts owed to us


With your consent

maintain our relationship with you including marketing and market research (if you agree to them)


Sharing your personal information

We will disclose information outside the credit union:

to third parties to help us confirm your identity to comply with money laundering legislation

to credit reference agencies and debt recovery agents (including the Department for Work and Pensions) who may check the information against other databases – private and public – to which they have access

to any authorities if compelled to do so by law (e.g. to HM Revenue & Customs to fulfil tax compliance obligations)

to fraud prevention agencies to help prevent crime or where we suspect fraud

to any persons, including, but not limited to, insurers, who provide a service or benefits to you or for us in connection with your account(s)

to our suppliers in order for them to provide services to us and/or to you on our behalf

to anyone in connection with a reorganisation or merger of the credit union’s business

to other parties for marketing purposes (if you agree to this)


We will never divulge your information to another third party that is not mentioned in this privacy policy except where you have provided consent to do so.


Where we send your information

While countries in the European Economic Area all ensure rigorous data protection laws, there are parts of the world that may not be quite so rigorous and do not provide the same quality of legal protection and rights when it comes to your personal information.

The credit union does not directly send information to any country outside of the European Economic Area. However, any party receiving personal data may also process, transfer and share it for the purposes set out above, and in limited circumstances this may involve sending your information to countries where data protection laws do not provide the same level of data protection as the UK.

For example, when complying with international tax regulations we may be required to report personal information to HM Revenue and Customs, which may transfer that information to tax authorities in countries where you or a connected person may be tax resident.


Retaining your information

We will retain any information we hold about you regarding the use of any of the services you are registered for. If your account is deactivated or closed, we will retain your information for as long as permitted for legal, regulatory, fraud, crime prevention and legitimate business purposes.


Your Rights

Your rights under data protection regulations are:

(a) The right to access

(b) The right to rectification

(c) The right to erasure

(d) The right to restrict processing

(e) The right to data portability

(f) The right to object to data processing

(g) Rights related to automated decision-making and profiling

(h) Right to withdraw consent

(i) The right to complain to the Information Commissioner’s Office


Your rights explained


Right to access

You have the right to access your personal data and details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data.


The right to rectification

You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.


The right to erasure

In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include:

the personal data is no longer needed for the purpose it was originally processed

you withdraw consent you previously provided to process the information

you object to the processing under certain rules of data protection law

the processing is for marketing purposes

the personal data was unlawfully processed

However, you may not erase this data where we need it to meet a legal obligation or where it is necessary for the establishment, exercise or defence of legal claims.


The right to restrict processing

In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are:

you contest the accuracy of the personal data;

processing is unlawful but you oppose erasure;

we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and

you have objected to processing, pending the verification of that objection.

Where processing has been restricted on this basis, we may continue to store your personal data. We will only otherwise process it:

with your consent;

for the establishment, exercise or defence of legal claims; or

for the protection of the rights of another natural or legal person.


The right to object to processing

You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the data is necessary for the purposes of the legitimate interests pursued by us or by a third party.

If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.

Right to withdraw consent

To the extent that the legal basis for our processing of your personal information is your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.


TransUnion

In some instances, in order to assess loan applications or sign up new members, we will supply some of your personal information to TransUnion International UK Limited, which is a credit reference agency providing services such as credit risk and affordability checking, fraud prevention, anti-money laundering, identity verification and tracing.

TransUnion will use your personal information to provide services to us and its other clients. We use their services in order to assess your creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity such as fraud and money laundering.

More information about TransUnion and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.


Open Banking

This section of our Privacy Policy relates to Open Banking and should be read in conjunction with the other clauses in our Privacy Policy. In the event of conflict with any other clauses, this clause shall prevail.


What is Open Banking?

Open Banking is the secure way of providing access to your bank or building society account to providers who are registered for this purpose.

Registered providers and participating banks and building societies are listed under the Open Banking Directory.

Open Banking was set up by the UK Government to encourage more competition and innovation in the financial services sector.

As a forward-thinking lender, we support the use of Open Banking as it allows us to process loan applications efficiently, securely and in our consumers’ best interests.

By permitting access to your bank or building society account information we are able to make a better lending decision as we shall be able to verify your income, outgoings and other matters in order to assess what loan terms would be suitable for you based upon what you can reasonably afford to repay.

Further information about Open Banking is available from www.openbanking.org.uk.


How will my personal data be shared and used for the purposes of Open Banking?

By proceeding with your loan application via our website you expressly consent to us sharing your personal, contact and loan application details (“the Shared Personal Data”) with our registered Open Banking partner, Aperidata Limited (“Aperidata”) who are also a credit reference agency. During your loan application we shall safely and securely direct you to Aperidata’s secure portal (“the Portal”) for the purposes of granting Aperidata access to your bank or building society account information (“Transaction Information”). As soon as your Transaction Information is received it shall be reported back to us in the form of a completed search in order that we may continue to process your loan application (“the Permitted Purpose”).

Further information about Aperidata including their registered provider and regulatory status is available from www.aperidata.com.


Is Open Banking secure?

Aperidata are registered under the Open Banking Directory as an account information service provider and are also regulated by the Financial Conduct Authority as a payment services firm under number 949181. Any data you submit via the Portal will be encrypted and its usage tracked as part of a set of Open Banking data security standards.

We are responsible for the secure transmission of any Shared Personal Data to Aperidata, for safely directing you to the Portal and for the safe receipt and usage of your Transaction Information.

You will not be required to share your banking password or log in details with either us or Aperidata. Once you have given your explicit consent to share your bank account information on the Portal you will be directed to your own bank or building society’s login page where you will enter in your own login details directly.

Save as set out above or elsewhere in this Privacy Policy, we are not responsible for your direct data transmissions with Aperidata or with your own bank or building society.


How will my Shared Personal Data and Transaction Information be used?

Aperidata shall, subject to their own terms and conditions and privacy policy, and, if your bank or building society is registered to provide access under the Open Banking Directory, obtain your Transaction Information and submit this back to us for the Permitted Purpose. By way of example, the Transaction Information that we shall receive is likely to include information relating to your income, outgoings and credit worthiness.

Aperidata shall be entitled to re-access your Transaction Information for up to 90 days from the date of your original search result in order to refresh the search results, obtain a snapshot of your data or gather additional data.

Aperidata shall hold the Shared Personal Data and the Transaction Information they receive and retain according to their own terms and conditions and privacy policy, available on the Portal, which you will be required to read and consent to once directed there via our website.

As Aperidata are also a credit reference agency they may also share and keep a record of your Shared Personal Data and Transaction Information.


Will you use my Transaction Data for any other purpose?

The Transaction Information we receive about you will only be used for the Permitted Purpose. We do not sell or share Transaction Information with any third party.

Save as set out above the information contained in the rest of this Privacy Policy deals with how we collate, use, transfer, store, delete and other terms applicable to your personal data including Shared Personal Data and Transaction Information.


Do I have to provide you with my consent to proceed?

We will only request consent to view your Transaction Data where it is necessary for determining your eligibility for a loan with us. You are under no obligation to provide us with consent via Open Banking, but we will still require sight of it through other means (i.e. printed paper statements) which will be stored, used and processed in accordance with this policy. Failure to provide the requested information may lead to your loan being refused.

Where your bank or building society have already permitted access to your Transaction Information you shall need to contact them directly in order to withdraw your consent under their particular Open Banking terms and conditions.


Are any of my other rights under this Privacy Policy affected?

Your individual data protection and privacy rights including the right to access, correct, delete, object, restrict, withdraw consent, request transfer and/or make a complaint, continue to apply to relevant personal data we control or process and are dealt with elsewhere in this Privacy Policy.

Under Open Banking as your personal data is shared by your bank or building society and accessed by Aperidata you may also be able to exercise your individual data protection and privacy rights against either of them pursuant to their own terms and conditions and privacy policies.


The right to complain to the Information Commissioner’s Office

If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with the Information Commissioner’s Office which is responsible for data protection in the UK. You can contact them by:

    

1. Going to their website at: https://ico.org.uk

2. Phone on 0303 123 1113

3. Post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF


Contact us about your rights

For more information about how your rights apply to your membership of the credit union or to make a request under your rights you can contact us on 01603 764904 or email office@norwichcreditunion.org.uk. We will aim to respond to your request or query within one month or provide an explanation of the reason for our delay.


Contact details of Norwich Credit Union

Name Norwich Credit Union

Address 26 Pottergate, Norwich, NR2 1DX

Phone 01603 764904

Email office@norwichcreditunion.org.uk

Website www.norwichcreditunion.org.